1. You are using the Vault userpass auth method mounted at auth/userpass.

How do you create a new user named "sally" with password "hOWNOwB4r0wnCOw"?
This new user will need the power-users policy.

A)
vault put auth/userpass/users/sally \
    password=hOWNOwB4r0wnCOw \
    policies=power-users

B)
vault write userpass/sally \
    password=hOWNOwB4r0wnCOw \
    policies=power-users

C)
vault kv write userpass/sally \
    password=hOWNOwB4r0wnCOw \
    policies=power-users

D)
vault write auth/userpass/users/sally \
    password=hOWNOwB4r0wnCOw \
    policies=power-users

A. Option A
B. Option B
C. Option C
D. Option D
Answer: D

Explanation:

Users of the userpass auth method are created (or updated) by writing to the users endpoint under the method's mount path, auth/<mount>/users/<username>. With the method mounted at auth/userpass, the command is:

vault write auth/userpass/users/sally password=hOWNOwB4r0wnCOw policies=power-users

This creates the user sally with the given password and attaches the power-users policy to the tokens she receives on login (the endpoint also accepts the newer token_policies parameter). Option A uses vault put, which is not a Vault CLI command. Option B writes to userpass/sally, which omits both the auth/ prefix that every auth method path carries and the users/ segment of the endpoint. Option C uses vault kv write, which does not exist (the kv subcommand is put), and a KV secrets engine is not where userpass users are stored anyway.

Passing the password on the command line records it in the shell history. To avoid that, supply it from stdin (password=-) or from a file with restrictive permissions (password=@file); the vault write command reads values given that way instead of taking them from the argument list.

Reference: [Userpass Auth Method | Vault | HashiCorp Developer]

[Create Vault policies | Vault | HashiCorp Developer]


2. The vault lease renew command increments the lease time from:
A. The current time
B. The end of the lease

Answer: A

Explanation:

The vault lease renew command increments the lease time from the current time, not from the end of the lease. The user requests a specific amount of time they want remaining on the lease, termed the increment; it is not added on to the end of the current TTL. For example, vault lease renew -increment=3600 my-lease-id requests that the TTL of the lease be adjusted to 1 hour (3600 seconds) from now. Rooting the increment at the current time makes it easy for users to shorten a lease when they do not need the credentials for the full possible period, so the credentials expire sooner and the backing resources are cleaned up earlier. The requested increment is purely advisory: the backend in charge of the secret may ignore it, and the resulting TTL can never exceed the lease's max TTL.

Reference: Lease, Renew, and Revoke | Vault | HashiCorp Developer


3. HOTSPOT

Where do you define the Namespace to log into using the Vault UI?

To answer this question, use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.

[Screenshot: the "Sign in to Vault" form. Fields from top to bottom: Namespace (containing "finance"); Method (LDAP); Username (jake); Password (masked); a "Hide options" toggle; Mount path (value truncated in this copy: "ldap-mo") with the help text "If this backend was mounted using a non-default path, enter it here."]

Answer:

Click the "Namespace" field at the top of the sign-in form (the one shown containing "finance"). That field sets the namespace the login request is sent to. Namespaces are a Vault Enterprise feature; once logged in, the UI shows the active namespace in its namespace picker.

The "Mount path" field under the advanced options is not where the namespace goes. It only identifies the path at which the auth method was enabled when that path is not the default (for example an LDAP method enabled at a path beginning "ldap-mo" instead of ldap). A namespace prefix does not belong in that field; the namespace is supplied separately, either in the Namespace field on this form or, when using the API or CLI, with the X-Vault-Namespace header, the -namespace flag, or the VAULT_NAMESPACE environment variable.


4. You have a 2GB Base64 binary large object (blob) that needs to be encrypted.
Which of the following best describes the transit secrets engine?

A. A data key encrypts the blob locally, and the same key decrypts the blob locally.

B. To process such a large blob, Vault will temporarily store it in the storage backend.
C. Vault will store the blob permanently. Be sure to run Vault on a compute optimized machine.
D. The transit engine is not a good solution for binaries of this size.
Answer: D
Explanation:

The transit secrets engine performs cryptographic operations on data sent to it over the API and never stores that data, so encrypting the blob directly would mean shipping the entire 2GB payload to Vault for every encrypt or decrypt call. That is impractical: the payload has to be Base64-encoded inside a JSON request body, it is held in Vault's memory while it is processed, and a Vault listener rejects requests larger than its max_request_size setting, which defaults to 32 MiB, so the request would not even be accepted without raising that limit. Options B and C are wrong because transit never writes caller data to the storage backend, temporarily or otherwise.

The workable pattern for large payloads is the one option A describes, envelope encryption: ask transit for a data key (transit/datakey/plaintext/<key-name>), which returns a high-entropy key both in plaintext and wrapped by the named transit key; encrypt the blob locally with the plaintext key, discard the plaintext key, and store the wrapped key alongside the ciphertext. To decrypt, send only the small wrapped key to transit/decrypt/<key-name> to recover the plaintext data key, then decrypt the blob locally. Transit then only ever handles the data key, not the data itself, and the blob can live in any primary data store. The exam treats D as the best description of transit's fit for a 2GB blob; A describes how to work around it.
Reference: Transit - Secrets Engines | Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp Developer
5. How would you describe the value of using the Vault transit secrets engine?
A. Vault has an API that can be programmatically consumed by applications
B. The transit secrets engine ensures encryption in-transit and at-rest is enforced enterprise wide
C. Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault
D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault
Answer: D
Explanation:
The transit secrets engine provides encryption as a service: it performs cryptographic operations on the data sent to it and returns the result without storing the data. Applications never handle the encryption keys themselves; they send plaintext or ciphertext to Vault and receive the other back. Choosing algorithms and key types, generating and rotating keys, and controlling who may encrypt, decrypt or rewrap with which key are all handled by Vault operators through key configuration and policies. Developers can therefore focus on application logic while Vault handles the cryptography in a consistent and auditable way. Option A is true of Vault in general but is not specific to transit; B overstates what transit does (it encrypts what it is given and enforces nothing enterprise wide); C describes the opposite of transit's design.
Reference: Transit - Secrets Engines | Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp Developer


6. What is the Vault CLI command to query information about the token the client is currently using?
A. vault lookup token
B. vault token lookup
C. vault lookup self
D. vault self-lookup
Answer: B

Explanation:

The Vault CLI command to query information about the token the client is currently using is vault token lookup. This command displays information about the token or accessor provided as an argument, or about the locally authenticated token if no argument is given. The output includes the token ID, accessor, attached policies, TTL, creation time, remaining uses, whether the token is renewable or an orphan, and any metadata. It is useful for debugging and auditing, and for checking the remaining TTL before deciding whether to renew (vault token renew) or revoke (vault token revoke) a token. With no argument it calls the auth/token/lookup-self API endpoint, which the default policy permits every token to use.
Reference: token lookup - Command | Vault | HashiCorp Developer, Tokens | Vault | HashiCorp Developer
7. Which of the following is a machine-oriented Vault authentication backend?
A. Okta
B. AppRole
C. Transit
D. GitHub
Answer: B
Explanation:
AppRole is a machine-oriented authentication method: a machine or application authenticates with a role ID and a secret ID rather than with a human's credentials. The role ID identifies the role the application logs in as; the secret ID is a credential that can be limited to a number of uses, given a short TTL and bound to a CIDR range, and is typically delivered to the application through a separate channel (for example by a CI system or configuration management) so that no single party holds both halves. Each role carries its own set of policies, which supports the principle of least privilege by limiting what each application may do.
Okta and GitHub are user-oriented authentication methods that log people in with their Okta or GitHub credentials. Transit is not an authentication method at all; it is a secrets engine that provides encryption as a service.
Reference: AppRole Auth Method | Vault | HashiCorp Developer

Okta Auth Method | Vault | HashiCorp Developer

GitHub Auth Method | Vault | HashiCorp Developer

Transit Secrets Engine | Vault | HashiCorp Developer


8. Security requirements demand that no secrets appear in the shell history.
Which command does not meet this requirement?

A. generate-password | vault kv put secret/password value=-

B. vault kv put secret/password value=itsasecret

C. vault kv put secret/password value=@data.txt
D. vault kv put secret/password value=$SECRET_VALUE
Answer: B

Explanation:
Option B places the literal secret value "itsasecret" on the command line, so it is recorded in the shell history file, where anyone able to read that file can recover it (and it is visible in the process argument list while the command runs). The secret is stored correctly at secret/password, but the requirement is violated.

The other three keep the value itself out of the shell history:

A. generate-password | vault kv put secret/password value=- pipes the output of a password generator into vault kv put; a value of "-" tells the CLI to read the value from stdin. Only the command names appear in the history, not the generated password.

C. vault kv put secret/password value=@data.txt uses the @ prefix to read the value from the file data.txt. The file name appears in the history, but not its contents. The file must be protected by restrictive permissions and removed once the secret has been written.

D. vault kv put secret/password value=$SECRET_VALUE has the shell expand the environment variable SECRET_VALUE before the command runs. The history records the variable name, not the value. Note that the assignment that set the variable can itself land in the history if it was typed interactively (export SECRET_VALUE=...), so set it from a hidden prompt (read -s) or a protected file, and unset it afterwards.

Reference: [Write Secrets | Vault | HashiCorp Developer]


9. You can build a high availability Vault cluster with any storage backend.
A. True
B. False
Answer: B
Explanation:

Not all storage backends support high availability mode for Vault. Only the storage backends that implement locking let Vault run in a multi-server mode where one server is active and the others are standby: the active node holds the lock, and a standby takes over when the lock is released. Examples of storage backends that support high availability mode are Consul, Integrated Storage (Raft), and ZooKeeper. Examples of backends that do not are the Filesystem and S3 backends, which can only serve a single Vault server. The storage backend documentation states for each backend whether HA is supported.
Reference:
https://developer.hashicorp.com/vault/docs/concepts/ha
https://developer.hashicorp.com/vault/docs/configuration/storage
10. What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?
A. vault kv put secret/my-secrets/my-password 53cr3t
B. vault kv write secret/my-secrets/my-password 53cr3t
C. vault kv write 53cr3t my-secrets/my-password
D. vault kv put secret/my-secrets my-password=53cr3t
Answer: D
Explanation:
The vault kv put command writes data to the given path in a K/V secrets engine. It takes the path (the mount path followed by the secret path, or the secret path alone with the mount given by the -mount flag) and then one or more key=value pairs; a value may also be read from a file (@file) or from stdin (-). Here the secret lives at my-secrets under the secret mount, and the data to store is the single pair my-password=53cr3t, so the correct command is:

vault kv put secret/my-secrets my-password=53cr3t

or equivalently:

vault kv put -mount=secret my-secrets my-password=53cr3t

Option A puts the key into the path and then passes a bare value with no key, which the CLI rejects ("Failed to parse K=V data"). Options B and C use vault kv write, which is not a kv subcommand (the subcommand is put), and C also has the arguments in the wrong order.
Reference: https://developer.hashicorp.com/vault/docs/commands/kv/put,
https://developer.hashicorp.com/vault/docs/commands/kv


11. What can be used to limit the scope of a credential breach?

A. Storage of secrets in a distributed ledger

B. Enable audit logging

C. Use of short-lived dynamic secrets

D. Sharing credentials between applications

Answer: C

Explanation:

Short-lived dynamic secrets limit the scope of a breach by reducing how long a leaked credential remains usable. Dynamic secrets are generated on demand by Vault, issued with a lease, and revoked automatically when the lease expires or when revocation is requested. Each client receives its own credential, so a leaked credential identifies the client it was issued to and can be revoked on its own without affecting others, and there is no long-lived shared password sitting in configuration files or a static database. Audit logging (B) is valuable for detecting and investigating a breach, but it does not limit what a stolen credential can do; sharing credentials between applications (D) widens the blast radius instead of narrowing it.

Reference: Dynamic secrets | Vault | HashiCorp Developer, What are dynamic secrets and why do I need them? - HashiCorp
12. What environment variable overrides the CLI's default Vault server address?
A. VAULT_ADDR
B. VAULT_HTTP_ADDRESS
C. VAULT_ADDRESS
D. VAULT_HTTPS_ADDRESS

Answer: A
Explanation:
The environment variable VAULT_ADDR overrides the CLI's default Vault server address (https://127.0.0.1:8200). The CLI reads it on every invocation, so the address does not have to be passed with the -address flag or hard-coded in scripts and configuration files, and different environments can point at different servers: a local development server for testing, the production cluster for deployments. The other three variable names are not recognised by the Vault CLI.
Reference: Commands (CLI) | Vault | HashiCorp Developer, Vault Agent - secrets as environment variables | Vault | HashiCorp Developer
13. Which of the following statements describe the CLI command below?

$ vault login -method=ldap username=mitchellh

A. Generates a token which is response wrapped

B. You will be prompted to enter the password

C. By default the generated token is valid for 24 hours
D. Fails because the password is not provided
Answer: B

Explanation:

vault login -method=ldap username=mitchellh authenticates against the LDAP auth method (mounted at the default path auth/ldap) as the user mitchellh. Because no password= argument is given, the CLI prompts interactively for the password and hides the input as it is typed, so the command does not fail (D is wrong) and the password stays out of the shell history. On success the returned token is stored by the token helper (~/.vault-token by default) and used for subsequent commands.

The token is not response wrapped unless the -wrap-ttl flag is passed (A is wrong). Its TTL comes from the LDAP method's token settings and the mount's TTL configuration, which default to the system default lease TTL of 768 hours (32 days), not 24 hours (C is wrong).

Reference: login - Command | Vault | HashiCorp Developer, LDAP Auth Method | Vault | HashiCorp Developer
14. The following three policies exist in Vault.
What do these policies allow an organization to do?

(first policy; file name not legible in this copy)
path "transit/encrypt/my_app_key" {
  capabilities = ["update"]
}

callcenter.hcl
path "transit/decrypt/my_app_key" {
  capabilities = ["update"]
}

rewrap.hcl
path "transit/keys/my_app_key" {
  capabilities = ["read"]
}
path "transit/rewrap/my_app_key" {
  capabilities = ["update"]
}

A. Separates permissions allowed on actions associated with the transit secret engine
B. Nothing, as minimum permissions to perform useful tasks are not present

C. Encrypt, decrypt, and rewrap data using the transit engine all in one policy

D. Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

Answer: A

Explanation:

These are three separate policies, each granting a narrow capability on a single transit key, my_app_key:

The first policy allows only the encrypt operation (transit/encrypt/my_app_key requires update). A client holding only this policy can encrypt data but cannot decrypt it.

callcenter.hcl allows only the decrypt operation (transit/decrypt/my_app_key requires update).

rewrap.hcl allows reading the key's configuration (transit/keys/my_app_key, read) and re-encrypting existing ciphertext under the latest key version (transit/rewrap/my_app_key, update). Rewrap never returns plaintext, so a client with this policy can migrate stored ciphertext after a key rotation without being able to read it.

Together they separate the permissions on the actions associated with the transit engine, so the organization can assign each duty to a different identity: for example an ingestion service that may only encrypt, a call-center application that may only decrypt, and a maintenance job that may only rewrap. That is option A.

B is wrong because each policy on its own is sufficient for its task. C is wrong because the capabilities are split across three policies, not combined in one. D is wrong because none of the policies grants create or update on transit/keys/my_app_key, so none of them can create or rotate the key.
15. Your DevOps team would like to provision VMs in GCP via a CI/CD pipeline. They would like to integrate Vault to protect the credentials used by the tool.
Which secrets engine would you recommend?
A. Google Cloud Secrets Engine
B. Identity secrets engine
C. Key/Value secrets engine version 2
D. SSH secrets engine
Answer: A
Explanation:
The Google Cloud secrets engine is the best fit. It dynamically generates GCP service account keys or OAuth2 access tokens based on IAM bindings defined in Vault, and the CI/CD tool can request a credential on demand through the Vault API or CLI. Each credential is leased and revoked when the lease expires or when the pipeline is finished, so the credentials are short-lived and never stored in the pipeline configuration. The team defines rolesets (service accounts Vault creates and manages, with a set of IAM bindings) or static accounts (existing service accounts whose keys Vault manages) to scope the permissions. The engine can also issue access tokens for impersonated service accounts, which delegates access to another service account without storing or managing its keys.
The Identity secrets engine does not generate GCP credentials; it issues OIDC identity tokens about Vault entities. The Key/Value secrets engine version 2 only stores static secrets that the user provides, so a long-lived service account key would still have to be created and rotated by hand. The SSH secrets engine generates SSH certificates, keys or one-time passwords for access to remote hosts, not GCP credentials.

Reference: Google Cloud - Secrets Engines | Vault | HashiCorp Developer, Identity - Secrets Engines | Vault | HashiCorp Developer, KV - Secrets Engines | Vault | HashiCorp Developer

SSH - Secrets Engines | Vault | HashiCorp Developer


16. Which of these is not a benefit of dynamic secrets?

A. Supports systems which do not natively provide a method of expiring credentials
B. Minimizes damage of credentials leaking

C. Ensures that administrators can see every password used

D. Replaces cumbersome password rotation tools and practices

Answer: C
Explanation:
Dynamic secrets are generated on demand by Vault with a lease and a limited time-to-live (TTL). Letting administrators see every password in use is not a benefit, and it is not something dynamic secrets provide: the credential is returned only to the client that requested it, and what administrators can see in the audit log is that a credential was issued, to which client and under which lease, not the value itself, which the audit device HMACs before writing.

The benefits of dynamic secrets are:

They support systems that do not natively provide a method of expiring credentials, such as databases, cloud providers and SSH hosts. Vault tracks a lease for each credential it hands out and revokes the credential when the lease expires or when it is no longer needed.

They minimize the damage of credentials leaking, because each credential is short-lived and unique to its requester. If one is compromised, the attacker has a limited window of opportunity to use it before it becomes invalid, and it can be revoked individually.

They replace cumbersome password rotation tools and practices, as Vault handles the generation and revocation of credentials automatically, which removes the operational overhead of scheduled rotations.

Reference:
https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets
https://developer.hashicorp.com/vault/docs/concepts/lease
17. Which of the following cannot define the maximum time-to-live (TTL) for a token?
A. By the authentication method
B. By the client system

C. By the mount endpoint configuration

D. A parent token TTL

E. System max TTL

Answer: B

Explanation:

The effective maximum time-to-live (TTL) of a token is the lowest of the following limits:

The authentication method that issued the token. Each auth method can set a default and a maximum TTL for the tokens it generates, either per role (for example token_ttl and token_max_ttl on an AppRole role or a userpass user) or for the method as a whole.

The mount configuration. vault auth tune sets default_lease_ttl and max_lease_ttl on an auth mount (vault secrets tune does the same for the leases a secrets engine grants), and the mount's max TTL caps anything a role or request asks for.

A parent token's TTL. A child token is revoked when its parent is revoked or expires (unless the child was created as an orphan), so in practice a child token cannot outlive its parent. Root tokens have no TTL, so their children are bounded only by the other limits.

The system max TTL. max_lease_ttl in the Vault server configuration is the global ceiling for all tokens and leases (768 hours by default) and applies wherever a mount has not set its own.

The client system cannot define the maximum TTL. A client may request a TTL with -ttl (and an -explicit-max-ttl) when creating a token, or an increment when renewing one, but the request is advisory and is always capped by the limits above.
Reference:
https://developer.hashicorp.com/vault/docs/concepts/tokens
https://developer.hashicorp.com/vault/docs/concepts/lease
https://developer.hashicorp.com/vault/docs/commands/auth/tune
https://developer.hashicorp.com/vault/docs/commands/secrets/tune
https://developer.hashicorp.com/vault/docs/commands/token/create
18. What are orphan tokens?
A. Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
C. Orphan tokens are tokens with no policies attached
D. Orphan tokens do not expire when their own max TTL is reached
Answer: B
Explanation:
Every token normally belongs to a token tree: it is a child of the token that created it, and when a parent is revoked or expires, all of its children are revoked with it. An orphan token is the root of its own token tree. It has no parent, so it is not revoked when the token that created it expires or is revoked. Orphan tokens still have their own TTL and max TTL and expire normally when those are reached, so D is wrong; use limits (A) and policies (C) are separate token attributes that can be set on any token. Orphan tokens are useful for long-running applications or services whose token should outlive the operator or pipeline token that created it, without resorting to a long-lived root token. Creating one with vault token create -orphan requires sudo on auth/token/create-orphan; alternatively a token role with orphan=true can issue them.
Reference: Tokens | Vault | HashiCorp Developer, Vault cli: how to create orphan token with role - HashiCorp Discuss


19. To give a role the ability to display or output all of the endpoints under the /secrets/apps/* endpoint it would need to have which capability set?

A. update

B. read

C. sudo

D. list

E. None of the above

Answer: D

Explanation:

Enumerating the entries under a path is a LIST operation, and LIST requests are authorized by the list capability. A policy granting list on the path (written with a trailing slash, since Vault checks a LIST request against the path with a slash appended) lets the role run vault list or vault kv list against it and see the names of the entries beneath it. read allows reading the contents of an individual entry but does not allow enumeration; update only allows writing; sudo is an extra capability required on certain root-protected system paths and grants no list access by itself. A role that should both browse and read secrets therefore needs list on the directory path and read on the entries below it. You can confirm what a token may do on a path with vault token capabilities secrets/apps/, which prints the capabilities the current token holds there.
Reference: Policies | Vault | HashiCorp Developer, token capabilities - Command | Vault | HashiCorp Developer
20. You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets.
What should this policy look like?

A)
path "secret/bar/*" {
  capabilities = ["read", "list"]
}

B)
path "secret/bar/*" {
  capabilities = ["list"]
}
path "secret/bar/" {
  capabilities = ["read"]
}

C)
path "secret/bar/*" {
  capabilities = ["read"]
}
path "secret/bar/" {
  capabilities = ["list"]
}

D)
(option text not legible in this copy)

A. Option A

B. Option B

C. Option C

D. Option D

Answer: C

Explanation:

Option C grants exactly what was asked. The rule on secret/bar/* gives read on every entry beneath secret/bar/: the glob character * matches any characters after the prefix, so secret/bar/foo and secret/bar/baz match, but secret/bar itself does not. The rule on secret/bar/ gives list on the directory path; list is the capability that lets a user see the names of the secrets under a path, and Vault authorizes a LIST request against the path with a trailing slash, which is why that rule ends in /. Together they follow the principle of least privilege: users can enumerate and read the secrets under secret/bar and nothing more.

Option A grants both read and list on every path under secret/bar/, which is more than the requirement (list is only needed on the directory path). Option B has the capabilities swapped, list on the entries and read on the directory, so users could neither read a secret nor list the directory. Option D is not legible in this copy; note that + is a valid character in policy paths (it matches exactly one path segment), so a policy is not invalid merely for containing it.

One caveat: if the secret mount is KV version 2, reads go through secret/data/bar/* and listing goes through secret/metadata/bar/, so the equivalent policy on a v2 mount must name those paths instead.

Reference: Policy Syntax | Vault | HashiCorp Developer
Policies | Vault | HashiCorp Developer
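The path-matching rules behind questions 14, 19 and 20 (exact paths beat globs, + matches one segment, list is checked against the path with a trailing slash, deny overrides everything) are easy to get wrong when reading a policy by eye. The evaluator below is an added illustration written for this page, not Vault's own authorizer; it approximates the rules from the policy syntax documentation closely enough to answer the questions above and to show what each of the three transit policies does on its own. Policies are given as Python dicts rather than parsed from HCL, and the first policy from question 14, whose file name is not legible, gets a placeholder name.

```python
"""Vault-style ACL evaluator (added illustration, not Vault's own authorizer).

Approximates the path-matching rules from the policy syntax docs:
  * an exact path rule beats a glob rule ("prefix*");
  * among glob rules the longest literal prefix wins;
  * "+" matches exactly one non-empty path segment;
  * capabilities for the same path in several policies are unioned;
  * "deny" on the winning rule removes every other capability;
  * a LIST request is authorised against the path with a trailing "/".
Policies are given as {policy_name: {path_pattern: [capabilities]}}.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny"}


@dataclass(frozen=True)
class Rule:
    policy: str
    pattern: str
    capabilities: FrozenSet[str]


def parse_policy(name: str, rules: Dict[str, List[str]]) -> List[Rule]:
    """Validate one policy; '*' is only legal as the final character of a path."""
    out = []
    for pattern, caps in rules.items():
        if "*" in pattern[:-1]:
            raise ValueError(f"{name}: '*' may only appear at the end of {pattern!r}")
        unknown = set(caps) - CAPABILITIES
        if unknown:
            raise ValueError(f"{name}: unknown capabilities {sorted(unknown)}")
        out.append(Rule(name, pattern, frozenset(caps)))
    return out


def match(pattern: str, path: str) -> Optional[Tuple[int, int, int]]:
    """Return a specificity key if pattern matches path, else None.

    Keys compare as tuples: exact beats glob, then longer literal prefix,
    then fewer '+' wildcards."""
    is_glob = pattern.endswith("*")
    literal = pattern[:-1] if is_glob else pattern
    pat, segs = literal.split("/"), path.split("/")
    if is_glob:
        # Every segment before the '*' must match; the last pattern segment
        # is a prefix of the corresponding path segment ("secret/ba*").
        if len(segs) < len(pat):
            return None
        for p, s in zip(pat[:-1], segs):
            if p != "+" and p != s:
                return None
        if pat[-1] != "+" and not segs[len(pat) - 1].startswith(pat[-1]):
            return None
    else:
        if len(pat) != len(segs):
            return None
        for p, s in zip(pat, segs):
            if (p == "+" and s == "") or (p != "+" and p != s):
                return None
    return (0 if is_glob else 1, len(literal), -pat.count("+"))


class Acl:
    def __init__(self, policies: Dict[str, Dict[str, List[str]]]):
        self.rules: List[Rule] = []
        for name, rules in policies.items():
            self.rules.extend(parse_policy(name, rules))

    def capabilities(self, path: str) -> FrozenSet[str]:
        """Capabilities on an exact request path; only the most specific rule applies."""
        best: Optional[Tuple[int, int, int]] = None
        caps: set = set()
        for rule in self.rules:
            key = match(rule.pattern, path)
            if key is None:
                continue
            if best is None or key > best:
                best, caps = key, set(rule.capabilities)
            elif key == best:  # same pattern granted by several policies: union
                caps |= rule.capabilities
        return frozenset({"deny"}) if "deny" in caps else frozenset(caps)

    def allowed(self, operation: str, path: str) -> bool:
        """True if `operation` (a capability name) is permitted on `path`."""
        if operation == "list" and not path.endswith("/"):
            path += "/"  # Vault checks LIST against the path with a trailing slash
        return operation in self.capabilities(path)


# The three policies from question 14 (first file name not legible on the page).
TRANSIT_POLICIES = {
    "first-policy (name not legible)": {"transit/encrypt/my_app_key": ["update"]},
    "callcenter.hcl": {"transit/decrypt/my_app_key": ["update"]},
    "rewrap.hcl": {"transit/keys/my_app_key": ["read"],
                   "transit/rewrap/my_app_key": ["update"]},
}
# Option C from question 20.
KV_POLICY_C = {"option-c": {"secret/bar/*": ["read"], "secret/bar/": ["list"]}}


def report(acl: Acl, checks: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate (operation, path) pairs against an ACL."""
    return {(op, path): acl.allowed(op, path) for op, path in checks}


if __name__ == "__main__":
    ops = [("update", "transit/encrypt/my_app_key"), ("update", "transit/decrypt/my_app_key"),
           ("update", "transit/rewrap/my_app_key"), ("update", "transit/keys/my_app_key")]
    for name, pol in TRANSIT_POLICIES.items():
        print(name, report(Acl({name: pol}), ops))
    print("option C", report(Acl(KV_POLICY_C), [("read", "secret/bar/foo"), ("list", "secret/bar"),
                                               ("read", "secret/bar"), ("update", "secret/bar/foo")]))
```

Running it shows each transit policy permitting exactly one of encrypt, decrypt or rewrap (the rewrap policy can read the key but not update it), and option C permitting read on secret/bar/foo and list on secret/bar while refusing read on secret/bar itself and any update. Swapping in a policy that grants only read on secrets/apps/* reproduces question 19: list on secrets/apps/ is refused until a rule with the list capability on that directory path is added.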